Experts said the passwords were likely hashed, a process used by most websites these days. But there are several methods of doing that, and the older "MD5" method, for example, is more vulnerable than a more modern method called "salting," said Wisniewski.
For now, researchers are left guessing and reading between the lines because Hold Security has not released more information.
"It will be interesting to see if public opinion pressures them," said Wisniewski.
Sign up for CIO Asia eNewsletters.